forensics on video conferencing...

© 2014, n.runs professionals GmbH – Security Research Team Moritz Jodeit

Forensics On Video Conferencing Systems

University of Erlangen-Nuremberg January 28th, 2014


Agenda

• Part 1 – Hacking VC Systems – Attack surface

– Firmware analysis

– Device rooting

– Finding and exploiting bugs

• Part 2 – Forensic Analysis – Challenges

– Creating forensic copies

– Finding forensic evidence


Who am I?

• Moritz Jodeit (Twitter: @moritzj)

• Hamburg

• Principal Consultant at n.runs

• Application Security

– Reversing, bug hunting, writing exploits, …

• Black Hat EU 2013 Talk

– „Hacking Video Conferencing Systems“


Motivation?


Hacking Videoconf Systems? yay!

Neue NSA-Dokumente: US-Geheimdienst hörte Zentrale der Vereinten Nationen ab Demnach ist es der NSA im Sommer 2012 gelungen, in die interne Videokonferenzanlage der Völkergemeinschaft einzudringen und die Verschlüsselung zu knacken. Dies habe für "eine dramatische Verbesserung der Daten aus Video-Telekonferenzen und der Fähigkeit, diesen Datenverkehr zu entschlüsseln" gesorgt, heißt es in einem geheimen NSA-Dokument. "Der Datenverkehr liefert uns die internen Video-Telekonferenzen der Uno (yay!)". Innerhalb von knapp drei Wochen sei die Zahl der entschlüsselten Kommunikationen von 12 auf 458 angestiegen. In einem Fall habe die NSA zudem den chinesischen Geheimdienst dabei ertappt, ebenfalls zu spionieren. Daraufhin haben die NSA abgefangen, was zuvor die Chinesen abgehört hatten.

Quelle: http://www.spiegel.de/politik/ausland/nsa-hoerte-zentrale-der-vereinte-nationen-in-new-york-ab-a-918421.html


How it all started

• Compromising „secured“ VC systems?

• Basic assumptions – Current Firmware

– Hardened system configuration

– No administrative interfaces

– Only H.323 or SIP ports reachable • Alternative: Only access via PSTN


Revenue Market Share

Top Five Enterprise Videoconferencing and Telepresence Vendors

Cisco (50.6%)

Polycom (26.3%)

Others (13.1%)

Lifesize (5%)

Teliris (2.6%)

Vidyo (2.5%)

Published by IDC for Q1 2012


Polycom

• One of the leading vendors

• Different telepresence solutions

• Most popular units cost up to $25,000

• Polycom customers

– Government agencies / ministries worldwide

– World‘s 10 largest banks

– 6 largest insurance companies


Polycom HDX Systems

• Popular video conferencing solution

• Different configs (HDX 4000 – 9000)

• HDX 7000 HD (our lab equipment)

– EagleEye HD camera

– Mica Microphone array

– Remote control

– Connected to ext. display


Attack Surface


Attack Surface

• Polycom HDX Web Interface

• Provisioning Service

• API Interface (serial console, TCP port 24)

• Polycom Command Shell (TCP port 23)

• SNMP

• Video conferencing protocols

– H.323 and SIP


Firmware Analysis

• Software updates (support.polycom.com)

• ZIP archives contain single PUP file

• Manual installation or via provisioning

• Analysis based on version 3.0.5


PUP File Structure


PUP File Structure

• PUP file header

• Bootstrap archive

– Bootstrap code to install update

– Main functionality in setup.sh script

• Update package


PUP Header

• Figuring out the PUP header file format

• Found puputils.ppc in extracted firmware

– Polycom Update Utilities

– Used to verify and install updates

– Can be run inside Qemu (Debian on PPC)


PUP Header

• Every PUP file starts with fixed PUP file ID

– „PPUP“ or „PPDP“

• Several fixed-size fields

– Padded with null bytes


PUP Header Length (bytes) Description

5 PUP File ID

4 Header Version

20 Header MAC Signature

32 Processor Type

32 Project Code Name

16 Software Version

16 Type of Software

32 Hardware Model

16 Build Number

32 Build Date

16 Build By

16 File Size (without header)

5 Compression algorithm

445 Supported Hardware

81 Signature (ASN.1 encoded)


Header HMAC

• Header HMAC value stored in PUP header

• Verification process

1. Set Header HMAC field to zero

2. Calculate HMAC over PUP header

3. Compare result with stored value

4. Abort update if result doesn‘t match


Header HMAC


Header HMAC

• Secret is required for verification

– Must be stored on the device

– Can be extracted :)

• Hardcoded in puputils.ppc binary


Header HMAC

• Secret allows to calculate valid HMAC

• No reversing of HMAC algorithm required

– Correct HMAC is part of the error message!


Public Key DSA Signature

• 2nd protection to prevent file tampering

– Used in addition to the header HMAC

• Verifies integrity of the whole file

– Including the PUP header

• Signature is stored in PUP header

– ASN.1 encoded form

• No further analysis conducted


Device Rooting


Device Rooting

• No system level access to the device

• Reasons for getting root access

– Simplifies bug hunting

– More device control for fuzzing

• Process monitoring

• Restarting processes

– Makes exploit development a lot easier


Device Rooting

• Can be achieved in different ways

– Exploiting command injection

– Direct modification of CF card

– Undocumented Developer Boot Mode

– …


HDX Boot Modes

• Production vs. Development boot mode

• Development mode enables telnet server

– Allows root login without password

– For details see my BH 2013 whitepaper


Device Rooting


System Architecture

• MPC8349EMITX SoC

– Freescale e300c1 PowerPC processor

• Linux-based system

• Kernel 2.6.33.3

• U-Boot boot loader

• Comes with standard binaries

– busybox, wget, gdbserver, …


Main Processes

• AppMain Java Process

– GUI

– Web interface functionality

– User authentication + crypto functionality

• Polycom AVC

– H.323

– SIP


Polycom AVC

• Implemented in /opt/polycom/bin/avc

• Huge non-stripped binary (~ 50 MB)

• Implemented in C

• Running as root

• E.g. implementation of H.323 and SIP

– and many other complicated protocols…

• What could possibly go wrong? :)


Polycom AVC

• The place to look for bugs in VC protocols

• > 800 xrefs to strcpy()

• > 1400 xrefs to sprintf()

• No exploit mitigations at all

• Easy to reverse engineer due to symbols


Vulndev Environment

• Create debugging environment on device

– Eases bug hunting

– Simplifies exploit development process

• GDB remote debugging

– System already ships with a gdbserver binary

• Disabling Polycom watchdog daemon

– Create the watchdog_disable.dat config file


Bug Hunting

• We focused on the H.323 protocol

– Old and complex protocol

– Still in use at many locations nowadays

• Many different H.323 signaling protocols

– We looked at the H.225.0-Q.931 protocol


H.225.0-Q.931

• Consists of binary encoded messages

• Messages consist of Information Elements (IE‘s)

– Encoded in ASN.1

• Several different IE‘s are defined

• IE‘s provide information to remote site

– Callers identity, capabilities, …


H.225.0-Q.931


Call Initiation

• Client connects to TCP port 1720

• Sends SETUP packet

– Indicates clients desire to start a call

• SETUP packet is parsed even if call fails

– E.g. call is not accepted by remote site

• Full call establishment requires more msgs

– But not relevant for this discussion


Call Detail Records

• HDX systems store call detail records (CDRs)

– Also written for failed calls

– Every SETUP packet generates a CDR entry

• CDR table stored in SQLite database

– Written records include

• Call start/end time

• Call direction

• Remote system name Extracted from Display IE

• …


Format String Vulnerability

• SQL query string for writing CDR entry

– Passed as format str to the vsnprintf() function

• We control the embedded Display IE

• Bug triggered with single SETUP packet


Exploit Strategy

1. Turn bug into write4 primitive

– Write 4 arbitrary bytes at arbitrary address

– Single SETUP packet writes 4 bytes

2. Use write4 primitive to store shellcode

3. Use write4 to overwrite function ptr

– And let the code jump into stored shellcode

4. PROFIT!


Format String Stack Layout


Shellcode

• Simple PowerPC system() shellcode

– Provides a back-connect shell

– Executes our HDX payload

• HDX payload

– Controls the device‘s peripherals

• PTZ camera, microphone, display, etc.

• Based on Polycom‘s internal IPC mechanism (XCOM)

– For further details see my BH 2013 whitepaper


Function Pointer Constraints

• The function ptr has a few requirements

– We need to be able to trigger it remotely

• Restrictions on the format string

– Bytes in fmt str must be 0x00 < b < 0x80

– Otherwise logging code is not hit

• Same restriction applies to address of function ptr


Finding Function Pointers

• Highlighted potential addresses in IDA

• Checked xrefs for use of PowerPC

mtctr / bctrl instructions


Function Pointer Overwrite

• Timer thread running in VideoBitsStreamPoleTimerProc()

• Jumps to [CodecPoleList]+0x1494


Remote Root Exploit


Forensic Analyis


Forensic Analysis Challenges

• Requires deep understanding of system

– Documentation not publicly available

– Requires extensive research up front

• Every vendor uses their custom firmware

• But even for the same vendor…

– Different firmware versions

– Different hardware releases


First Steps

• Disconnect the power supply!

– HDX systems log a lot of information

– Use of a pretty small ring buffer

– Evidence gets overwritten quickly

• Do not do a normal shutdow

– A lot information gets logged in that case!


Creating a Forensic Copy

• We can‘t work on the system directly

• Forensic copy of the internal memory

• Further analysis only conducted on image


Extracting Memory Cards

• HDX systems use CompactFlash cards

• Various HDX versions have different cases

– Different ways to get to the CF card

– HDX 8000 vs. HDX 9000

• Extracting the CF card can be a bit tricky in some cases…


Opening HDX Systems

DISCLAIMER Having the right hardware

tools might make the job easier :)


Polycom HDX 8000

• One of the smaller HDX systems

• Can be opened quite easily

– If you know how to do it ;)

• Three screws need to be removed

• Side of the case can be slided to the front


Polycom HDX 8000


Polycom HDX 9000

• One of the bigger HDX systems

• Case can be opened quite easily

– Getting access to the CF card is another story

• Just remove all screws on back and sides


Polycom HDX 9000


Polycom HDX 9000

• CF card is hidden beneath several PCBs


Polycom HDX 9000

• Accessing the CF card is tricky

• Removing all PCBs

– Would require a complete dismount

– Could easily damage something :(

• We didn‘t have the right tools

– We needed to improvise :P


Removing Internal Modem


Removing Power Connectors


Removing CF Card Screw

• Touching the screw holding the CF card with a single finger is now possible



• Place one hand under covering PCB

• Touching screw with single finger is now possible

• But screw must be loosened first…


Used Tools ;)



• Extended nipper used to loosen screw

• Nipper can‘t be rotated enough

• Used magnetic stick to turn the screw

• This was really fiddly and required nerves!

– Probably lost some hair during this operation


Removing CF Card


File System Analysis


File System Analysis

• Analysis on created CF card image

• HDX systems have four partitions

Partition Description Type Mounted

/dev/hda1 Boot related files, Linux kernel image ext2 ro

/dev/hda2 Root file system ext2 ro

/dev/hda3 Log and configuration files ext3 rw

/dev/hda4 Factory restore file system ext2 --


Log Files

• Stored in /var/log on /dev/hda3

• Pretty extensive logging by default

– Good for the forensic analysis

– Bad, because logs get overwritten quickly


Things to look for

• Failed or successful login attempts

• Initiated video calls

• Typical Linux-based forensics stuff

– Crashed daemons

– reboots, etc.


Configuration Files

• Stored in /dat directory on /dev/hda3

• Every setting stored in single .dat file

• Text-based files

– One or more lines of text


Interesting Config Files

• Version of current firmware

– Stored in systemsoftwareversion.dat

– Known vulnerabilities in old versions

• Hashes of previously set passwords

– historymeetingpassword.dat

– historyremotepassword.dat

– historyroomsw.dat


Password Hashes

• Stored to prevent password re-use

• Passwords stored as SHA1 hashes

– Unsalted of course :)

• Cracking the SHA1 hashes

– Identifies potentially weak passwords

– Might give you password set by an attacker

• Timestamps indicate time of PW change


Last Adminstrator Login

• Last admin login is recorded

– lastloginfromadmin.dat

– lastloginsuccessdatetimeadmin.dat

• Can be correlated with timestamps


Call Detail Records

• Stored as a SQLite database

– /data/polycom/cdr/new/localcdr.db

• Included information

– Start and end date/time

– Call duration

– Called number

– Call direction

– Used protocols, etc.


Polycom Command Shell

• Was affected by remote vulns in the past

• Check if PSH was enabled

– telnet_enabled.dat


Root File System

• Always mounted read-only

– Only mounted read-write for updates

• Check last-modified timestamps

• Match all files against original image


Use of Public Exploits

• Access times might identify use of specific public exploits…

• Metasploit PSH Telnet Auth Bypass

– Module psh_auth_bypass.rb

– Exploits auth bypass + command injection

– Uses OpenSSL reverse connect payload


Use of Public Exploits

• cmd/unix/reverse_openssl

– Uses busybox and openssl binaries

– Binaries not regularly called in production


Factory Restore Filesystem

• Contains an old firmware version

– Current version at the time of shipping?

• Never modified or mounted in prod!

• Attackers might use it for persistency

• Match all files against (old) original image

• Unusual timestamps should make you suspicious


Conclusion

• Forensics on VC systems requires internal system knowledge

• Knowing how to break them helps

• No advanced attacks observed yet

– But they happen! (see NSA hack)

• Having the right hardware tools helps :P


Questions?


Thank You!

Moritz Jodeit n.runs professionals GmbH

Principal Security Consultant Nassauer Straße 60

D-61440 Oberursel

phone: +49 6171 699-530

fax: +49 6171 699-199

mobile: +49 170 288 4291

[email protected] www.nruns.com

it. consulting . infrastructure . security . business

forensics on video conferencing...

Documents